Policy Contents

Acceptable Use of Research Foundation Proprietary Data Outside the RF Business System

Summary

The integrity and confidentiality of Research Foundation (RF) data must be protected when RF proprietary data are combined into a non-RF business system.

Policy Statement

RF proprietary data are private and confidential data that must be protected. All proprietary data extracted from the RF business system must be protected from unauthorized access. Individuals with authorized access to RF proprietary data are required to adhere to the following University at Buffalo (UB) information security policies to provide a secure environment where the privacy and confidentiality of proprietary data are protected.

New York State Information Security Policy

The New York State (NYS) Information Security Policy is a comprehensive policy that sets forth the minimum requirements, responsibilities and accepted behaviors to establish and maintain a secure environment. UB has adopted the NYS Information Security Policy as its umbrella computer and information security policy.

University at Buffalo Password Policy

This policy establishes the requirements that all UB passwords must follow.

University at Buffalo Protection of Regulated Private Data Policy

This policy outlines the university’s commitment to protecting regulated private data to safeguard the privacy of the university community, reduce the threat of identity theft, and comply with state and federal laws and regulations

University at Buffalo Data Access and Security Policy

This policy defines the access requirements for regulated private data and includes the roles and responsibilities for those granting access.

UB Minimum Server Security and Hardening Standards

Background

The Research Foundation central office has issued the Policy on Acceptable Use of Research Foundation Data Outside of RF Business Systems, providing campus requirements for access to and use of proprietary data the RF considers being private and confidential. In order to comply with the RF policy, a University at Buffalo campus policy is required to ensure that:

The university provides a secure environment with proper controls to protect the privacy, integrity, and confidentiality of extracted proprietary data combined in a non-RF business system

Appropriate campus policies, procedures, and standards are in place to ensure that access and use of the data are consistent with a business need-to-know

Applicability

This policy applies to all university entities, any official or administrator with responsibilities for managing extracted proprietary RF data, and those employees who are entrusted with extracted proprietary RF data.

Compliance

Any employee or student who breaches this policy on confidentiality of extracted proprietary RF data will be subject to disciplinary action and sanctions up to and including discharge and dismissal in accordance with university policy and procedures.

High-level data that is not considered private and confidential including financial sponsored program data at the aggregate level (no detail) and personal data limited to name, work telephone number, department, location, and employee identification number (as long as this number or its placement in a sequence of numbers does not identify the person’s employer as the RF).

Responsibility

Operations Manager (OM)

Certify that an environment with appropriate policies, procedures, and controls is in place to protect RF data.

Authorize access to RF proprietary data consistent with a business need to know.

Utilize the Authorization for Use of Research Foundation Data outside the RF Business System form, to annually provide the RF with a list (by name or job description) of university employees authorized to access extracted proprietary data.

In the event of a security breach or a suspected security breach, contact the RF. Follow the process outlined in the RF’s Notification Procedure for Electronic Breach of Information Security.

The OM or designee is authorized to provide proprietary RF data to a sponsor if the data is related to an applicable sponsored program grant or contract for which there is a contractual obligation to provide the information, or if providing the data is a requirement of obtaining a sponsored program grant or contract.

Information Security Officer

Periodic scans of workstations, servers, and network traffic, for RF data may also be implemented.

Individuals Authorized to Access Extracted RF Proprietary Data

Complete the University at Buffalo Access to Information Compliance Form before access will be granted in order to acknowledge their responsibilities to protect the extracted proprietary RF data, comply with confidentiality requirements, and comply with all UB information security and data protection policies.